Dear Lifehacker,
My passwords are strong, but if hackers can convince tech support into thinking they're me with a few easy-to-Google details, what can I really do to protect myself? Also, how can I avoid being unwittingly manipulated by these kinds of attacks?
Signed,
Concerned About Cons

Dear Concerned,
You're right to feel uneasy about attacks that depend only on human weaknesses, the so-called social engineering hacks. As we saw recently in the Apple and Amazon support failures exposed by Mat Honan's hack, an attacker never had to break a strong password: a support representative, talked into "verifying" the attacker as the account owner, handed over access. People are, by far, the weakest link in any security system's chain.

That said, we can all beef up our security through education—knowing common types of social engineering attacks and following essential security precautions. Let's review.

First, What Is Social Engineering?

Social engineering is the art of manipulating people into taking actions they shouldn't, particularly security-related ones such as granting computer access or revealing confidential information. Rather than breaking into networks or systems directly, social engineers exploit human psychology: trust, helpfulness, fear of getting in trouble, and the reluctance to say no to someone who sounds like they belong.

In many cases, attackers use small, often public pieces of information to establish credibility (a technique known as pretexting), then use that borrowed trust to extract the larger piece they actually want. Here are a few examples:

A hacker might call saying your credit card has been flagged for unusual activity and the bank needs to verify your information (full card number, mother's maiden name, etc.) before issuing a replacement. He or she will offer up the last four digits of your card and perhaps the date and amount of a recent transaction (details easily pulled from a discarded receipt or statement) to gain your confidence and make the call sound legitimate. Note the trick here: the caller already knowing something about you proves nothing, because that is exactly what they went looking for before dialing.

Another classic con is when an attacker poses as someone in your company or a consultant (e.g., tech support, complete with a fabricated ID badge and clipboard) or another trusted outside authority such as an auditor. With a little confidence, a prop, and a busy lobby, an attacker can tailgate into many buildings simply by walking in behind a legitimate employee.

How to Avoid Being The Victim of a Social Engineering Hack

The most important thing you can do to avoid being socially engineered yourself is to embrace healthy skepticism and stay as vigilant as you can, especially when a request is urgent, unexpected, or comes with pressure to act right now. Just being aware of common tricks puts you one step ahead of the game (but don't get too cocky; remember to question everything).

Never give out any confidential information, or even seemingly harmless information about you or your company, whether it's over the phone, online, or in person, unless you can first verify both the identity of the person asking and that person's need to have it. Get a call from your credit card company saying your card has been compromised? Say okay, you'll call them back, then hang up and dial the number printed on the back of your card rather than speaking to whoever called you, and never use a number the caller gives you. Caller ID is no help here; the displayed number is trivially spoofed.

Always remember that legitimate IT departments and financial institutions will never ask for your password or other confidential credentials over the phone or by email. Anyone who does is not who they claim to be.

Minimize The Damage Done from Socially Engineered Attacks

You can protect yourself from phishers, scammers, and identity thieves, but there's only so much you can do if a service you use is compromised or someone manages to convince a company they're you. You can, however, take a few preventive measures yourself (some of which we mentioned previously after the recent Apple and Amazon exploits) so that one compromised account does not become all of them.

Avoid having all your eggs in one basket (or the dreaded "single point of failure"): The more intertwined and dependent your accounts are, meaning the more one account can reset the password of another, the more widespread the damage a single breach can cause you. If your Gmail address is the password-recovery address for every other service, whoever controls that inbox controls them all. Worse, if your Gmail recovers via a second email account and that account recovers via Gmail, the two are effectively one account. Use a separate, private recovery address that you never publish, and check where your phone number sits in the chain, since a stolen or ported number can reset more than you'd expect.
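The "single point of failure" advice above is easier to act on when you can see your own recovery chains. The following is an added example, not code from the original article: it models accounts and their recovery relationships as a directed graph and computes, for each account, the "blast radius" (every other account an attacker who owns it could reach by walking the recovery links), and flags pairs of accounts that are each other's recovery. The account names and recovery relationships in SAMPLE_RECOVERY are constructed sample data; substitute your own inventory.

```python
"""Blast-radius analysis for account recovery chains (added example).

The inventory below is constructed sample data, not a real person's
accounts. Each key is an account; its value lists the accounts that can
reset its password (recovery email, recovery phone, and so on).
"""
from collections import defaultdict, deque

# Constructed sample inventory: account -> accounts that can reset it.
# "email:gmail" recovers nearly everything, and "email:gmail" and
# "email:me.com" are each other's recovery (a cycle).
SAMPLE_RECOVERY = {
    "email:gmail": ["phone:mobile", "email:me.com"],
    "email:me.com": ["email:gmail"],
    "phone:mobile": [],
    "amazon": ["email:gmail"],
    "bank": ["email:gmail", "phone:mobile"],
    "twitter": ["email:gmail"],
    "work-vpn": ["email:work"],
    "email:work": [],
}


def reverse_graph(recovery):
    """Invert 'X can be reset via Y' into 'owning Y reaches X'."""
    reaches = defaultdict(set)
    for account, recoverers in recovery.items():
        reaches.setdefault(account, set())
        for r in recoverers:
            reaches[r].add(account)
    return reaches


def blast_radius(recovery, start):
    """Accounts an attacker who controls `start` can take over, following
    recovery links transitively (breadth-first search). Excludes `start`."""
    reaches = reverse_graph(recovery)
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in reaches.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def single_points_of_failure(recovery):
    """Rank every account by how many others fall with it, largest first."""
    ranked = [(len(blast_radius(recovery, a)), a) for a in recovery]
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


def mutual_recovery_pairs(recovery):
    """Pairs where each account is the other's recovery: compromising either
    one hands over both, so neither is a real fallback for the other."""
    pairs = set()
    for a, recoverers in recovery.items():
        for b in recoverers:
            if a in recovery.get(b, []):
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


if __name__ == "__main__":
    for count, account in single_points_of_failure(SAMPLE_RECOVERY):
        print(f"{account:14s} compromise reaches {count} other account(s): "
              f"{sorted(blast_radius(SAMPLE_RECOVERY, account))}")
    for a, b in mutual_recovery_pairs(SAMPLE_RECOVERY):
        print(f"WARNING: {a} and {b} recover each other; they are one account")
```

On the sample data the mobile phone number, not Gmail, has the widest blast radius, because it can reset Gmail directly and everything Gmail recovers follows from there. That is the kind of dependency that is hard to notice by eye and easy to fix once seen: give the highest-ranked account a recovery path that nothing else shares, and break any mutual-recovery pair.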

Get creative with security questions: The additional security questions websites ask you to fill in are supposed to be another line of defense, but the honest answers are often easily guessed or discoverable (where you were born, your mother's maiden name, your first school). Treat them as what they really are, additional passwords: shift the letters in your answer or use your own coding system so only you know the answer, or, better, give a random, unrelated answer and keep it in your password manager. A truthful answer that anyone can look up is no defense at all.

Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal) because of the consumer liability protections they carry. If you use a debit card and a hacker gets hold of the number, your entire bank account could be drained while you wait for the bank to investigate. You can further secure your credit card by not storing card numbers on websites and by using disposable or virtual card numbers (offered by Citibank, Bank of America, and Discover), which limit what a stolen number is good for.

Remove your info from public information databases: Sites like Zabasearch and PeopleFinders publish our private information (address, date of birth, relatives) online for all to see, and those are exactly the details a social engineer uses to sound convincing to a support rep. Remove yourself from these lists with this resource.

Regularly back up! An attacker who takes over an account that can remotely wipe your devices (as happened in the Honan hack) can destroy your data in minutes, and only an offline or independent backup gets it back.

These steps won't prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they will limit how far that one compromise can spread, and give you some peace of mind that you're doing as much as you can to protect yourself.